Systems and methods for data management using zero-touch tagging

ABSTRACT

Systems and methods for data management using tagging rules and/or policies. The systems and methods described herein may allow users or administrators to easily label data, so as to organize the data in using any suitable terminology or parameters. Tagging rules (or tag rules) may apply or assign one or more tags to a data file or object. A tag may relate to various components of the data file or object. For example, a tag may relate to a creation date, author, size, or information within the data, such as whether the file or object includes a picture. Once the data is associated with one or more tags, policies may determine how the data is manipulated, stored, accessed, or otherwise used. Policies may relate to actions or operations to be performed with respect to data having one or more particular tags.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application No.62/414,080, entitled Active Data Zero-Touch Tagging, and filed Oct. 28,2016, the content of which is hereby incorporated by reference herein inits entirety.

FIELD OF THE INVENTION

The present disclosure relates to data handling and management.Particularly, the present disclosure relates to systems and methods forhandling and managing stored data. More particularly, the presentdisclosure relates to systems and methods for handling and managingstored data using tags and policies.

BACKGROUND OF THE INVENTION

The background description provided herein is for the purpose ofgenerally presenting the context of the disclosure. Work of thepresently named inventors, to the extent it is described in thisbackground section, as well as aspects of the description that may nototherwise qualify as prior art at the time of filing, are neitherexpressly nor impliedly admitted as prior art against the presentdisclosure.

One of the largest issues facing users of data storage systems, andparticularly large data storage systems storing billions of files andobjects, is the ability to manage the performance, protection,organization, accessibility, and life-cycle of the data intelligently.Data storage costs, as well as data privacy and security concerns, thegrowing need to maintain large quantities of data long term, and otherconcerns present unique problems for data handling and data storagesystems. Some existing systems can be cumbersome and do not allow forready access or maneuverability of stored data. Accordingly, there is aneed in the art for improved data handling and management systems andmethods. In particular, there is a need in the art for systems andmethods for managing stored data in a way that allows users to manageperformance, protection, organization, accessibility, and life-cycle ofthe data with relative ease.

BRIEF SUMMARY OF THE INVENTION

The following presents a simplified summary of one or more embodimentsof the present disclosure in order to provide a basic understanding ofsuch embodiments. This summary is not an extensive overview of allcontemplated embodiments, and is intended to neither identify key orcritical elements of all embodiments, nor delineate the scope of any orall embodiments.

The present disclosure, in one or more embodiments, relates to a datahandling system. The data handling system may have a tag rule databasestoring tag rules as non-transitory computer readable media. Each tagrule may define when data should be tagged. A data handling system mayadditionally have a policy database storing policies as non-transitorycomputer readable media, each policy defining when a policy operationshould be performed with respect to tagged data. The data handlingsystem may have a controller programmed with computer executableinstructions for receiving data, including a data file and/or dataobject. The controller may additionally be programmed for comparing thereceived data to a tag rule to determine if the data should be taggedwith a tag. Moreover, based on the comparison, the controller may tagthe data by storing an association between the data and the tag. Thecontroller may compare the tag to a policy to determine if a policyoperation should be performed with respect to the data. In someembodiments, the data handling system may additionally have a mappingdatabase storing, as non-transitory computer readable media,associations between data and tags. The data handling system may have adata storage device storing data as non-transitory computer readablemedia, and the controller may be programmed to store the received dataon the data storage device. The controller may additionally beprogrammed to perform a policy operation based on the comparison of thetag to the policy. In some embodiments, the data may include metadata,and the controller may be programmed to compare the metadata to a policyto determine if a policy operation should be performed with respect tothe data. In some embodiments, the tag rule compared to the receiveddata may be a user defined tag rule. Moreover, the policy compared tothe tag may be a user defined policy. The policy may relate to movingthe data or storing the data in a predetermined type of storage. In someembodiments, the tag rule may be an automatically generated tag rule.The data handling system may have a natural language system in someembodiments. The natural language system may include a natural languageengine and a natural language dictionary database having storedcorrelations between natural language and computer executable steps. Theprocessing engine may be programmed with instructions for receivingnatural language user commands and converting the user commands tocomputer executable steps. In some embodiments, the controller mayadditionally be programmed with computer executable instructions forsending at least a portion of received data to a client for additionaltagging. In some embodiments, this may be performed via a webhook,message queue, or similar mechanism.

The present disclosure, in one or more embodiments, additionally relatesto a method for data handling. The method may include receiving, over awired or wireless network, data at a data ingest module via datareceiving hardware circuitry, the data including a data file and/or dataobject. The method may include comparing the data to a stored tag rulevia a tag rules engine using tag rule hardware circuitry to determine ifthe data should be tagged with a tag. The method may include tagging thedata by storing, as non-transitory computer readable media, anassociation between the data and the tag. Moreover, the method mayinclude comparing the tag to a stored policy via a policy engine usingpolicy hardware circuitry to determine if a policy operation should beperformed with respect to the data. In the some embodiments, the methodmay including storing the received data on a data storage device.Moreover, based on the comparison of the tag to the policy, the methodmay include performing the policy operation. In some embodiments, thetag rule may be a user defined tag rule, and the policy may be a userdefined policy. The policy may relate to moving the data or storing thedata in a predetermined type of storage.

The present disclosure, in one or more embodiments, additionally relatesto a data handling system having a data ingest module, a tag rulesengine, a policy engine, and a mapping database. The data ingest mayhave data receiving hardware circuitry for receiving a data file and/ordata object. The tag rules engine may have tag rules hardware circuitryfor comparing the received data to a stored tag rule to determine if thedata should be tagged with a tag. The policy engine may have policyhardware circuitry for comparing the tag to a stored policy to determineif a policy operation should be performed with respect to the data. Themapping database may store, as non-transitory computer readable media,associations between data and tags. In some embodiments, the datahandling system may have a natural language system including a naturallanguage processing engine and a natural language dictionary databasestoring correlations between natural language and computer executablesteps. The processing engine may be programmed with computer executableinstructions for receiving natural language user commands and convertingthe user commands to computer executable steps.

While multiple embodiments are disclosed, still other embodiments of thepresent disclosure will become apparent to those skilled in the art fromthe following detailed description, which shows and describesillustrative embodiments of the invention. As will be realized, thevarious embodiments of the present disclosure are capable ofmodifications in various obvious aspects, all without departing from thespirit and scope of the present disclosure. Accordingly, the drawingsand detailed description are to be regarded as illustrative in natureand not restrictive.

BRIEF DESCRIPTION OF THE DRAWINGS

While the specification concludes with claims particularly pointing outand distinctly claiming the subject matter that is regarded as formingthe various embodiments of the present disclosure, it is believed thatthe invention will be better understood from the following descriptiontaken in conjunction with the accompanying Figures, in which:

FIG. 1 is a flow diagram of a data management system of the presentdisclosure, according to one or more embodiments.

FIG. 2 is a conceptual diagram of hierarchical tag associations that maybe stored in the mapping database, according to one or more embodiments.

FIG. 3A is a conceptual diagram of age tag associations that may bestored in the mapping database, according to one or more embodiments.

FIG. 3B is another conceptual diagram of age tag associations that maybe stored in the mapping database, according to one or more embodiments.

FIG. 4 is a hardware diagram of a data management system of the presentdisclosure, according to one or more embodiments.

FIG. 5 is a flow diagram of a method for data management of the presentdisclosure, according to one or more embodiments.

FIG. 6 is a diagram of a natural language system of the presentdisclosure, according to one or more embodiments.

DETAILED DESCRIPTION

The present disclosure relates to novel and advantageous systems andmethods for data management. Particularly, the present disclosurerelates to novel and advantageous systems and methods for datamanagement using tagging rules and/or policies. In general, the systemsand methods described herein may allow users or administrators to easilylabel data, so as to organize the data in using any suitable terminologyor parameters. Tagging rules (or tag rules) may apply or assign one ormore tags to a data file or object. A tag may relate to variouscomponents of the data file or object. For example, a tag may relate toa creation date, author, size, or information within the data, such aswhether the file or object includes a picture. Tags may be definedmanually by a user or administrator, or may be created automatically bythe system or partially automatically based on one or more predefinedparameters. A data file or object may be assigned multiple tags forvarious purposes. By applying tags to the data, users may be able tomore efficiently manipulate, store, or access the data. Once the data isassociated with one or more tags, policies may determine how the data ismanipulated, stored, accessed, or otherwise used. Policies may relate toactions or operations to be performed with respect to data having one ormore particular tags. Policies may be defined manually by a user oradministrator, or may be created automatically by the system orpartially automatically based on one or more predefined parameters. Asingle data file or objet may be subject to multiple policies in someembodiments. Data management systems and methods described herein maygenerally help to provide appropriate and efficient protection,organization, performance, life-cycle, storage, and handling of data.

Turning now to FIG. 1, a data management system 100 of the presentdisclosure is shown, according to one or more embodiments. As shown, thesystem may generally include a data ingest module 102, a tag rulesengine 104, a policy engine 106, a mapping database 108, and datastorage 110.

The data ingest module 102 may include hardware and/or software forreceiving data, including data files 114 and/or data objects 116. Forexample, the data ingest module 102 may receive data 114, 116 from aclient or a client system. The client 112 may include a user,administrator, server, application, program, database, operating system,container, and/or other system component. The data 114, 116 may be sentby the client 112 automatically, partially automatically, or manually.For example, a client 112 may be a user who selects a particular file114 or object 116, or batch of files or objects, to send to the dataingest module 102. In other embodiments, a client 112 system mayautomatically send new data writes, such as on pre-existing files orobjects, to the data ingest module 102. In still other embodiments, thedata ingest module 102 may send a request to the client 112 for any newdata writes, such that the data ingest module may receive data writes inresponse to its request. The data ingest module 102 may receive thefiles 114 and/or object 116 in any suitable format. The data ingestmodule 102 may store received data in the data storage 110 in someembodiments. In some embodiments, the data ingest module 102 may receiveboth write and read requests. A read request may relate to data storedin the data storage. In response to a read request, the data ingestmodule 102 may provide access to the requested data.

The data ingest module 102 may additionally be configured to communicateor send file/object information to the tag rules engine 104 and/ormapping database 108. File/object information may be information relatedto or extracted from the received file 114 or object 116. In general,file/object information may include information from or about the file114 or object 116 that may be subject to one or more tag rules. Forexample, file/object information may include, but is not limited to,name; path; size; extension; multipurpose internet mail extensions(MIME) type; client IP address, host name, or other identifier; useridentifier; S3 metadata; network file system (NFS) attributes; servermessage block (SMB) access control list; NFS access control list;creation date; creation time; modification date; modification time;author; access date, access time; and/or other metadata, attributes, orinformation related to or extracted from the file 114 or object 116 oravailable from the protocol of the particular interface (i.e., NFS, SMB,HDFS, S3, Swift, or others). The data ingest module 102 may sendfile/object information to the tag rules engine 104 to determine whetherany tag rules apply to the data 114, 116. If tag rules do apply to thedata 114, 116, the data ingest module 102 may send the file/objectinformation to the mapping database 108 for storing tag associations. Insome embodiments, file/object information may include previousinformation, such as previous metadata, attributes, or other informationrelated to or extracted from the file 114 or object 116, particularly ifthe data is a write to an existing file or object. This may help thedata ingest module 102, tag rules engine 104, and/or mapping database108 determine if any file/object information has changed.

The data ingest module 102 may include only hardware, only software, ora combination of hardware and software. For example, in someembodiments, the data ingest module 102 may include hardware, such asfor example a controller, processor, hardware circuitry, and/or otherhardware components described herein. Hardware circuitry may includereceiving hardware circuitry, data accessing hardware circuitry, sendinghardware circuitry, or other hardware circuitry. The controller,processer, hardware circuitry, and/or other hardware components may beconfigured to run or operate one or more software programs orapplications for receiving data from and communicating data to the rulesengine 104, mapping database 108, and/or data storage 110. Moreover, insome embodiments, the data ingest module 102 may be described as alayer, component, module, or element of a system. Such layer, component,module, or element may include hardware and/or software, as describedabove, for performing the above-described operations of the data ingestmodule 102.

In addition to receiving files 114 and objects 116, it is to beappreciated that the data ingest module 102 may generally receive otherinput/output (I/O) from clients 112 or other users. For example, thedata ingest module 102 may receive a read request for data stored in thedata storage 110. The data ingest module 102 may communicate with thedata storage 100 to access the requested data for the read, and may makethe requested data available to the user. Additionally, the data ingestmodule 102 may receive a write or modify request for data stored, or tobe stored, in the data storage 110. The data ingest module 102 maycommunicate with the data storage 110 to write or modify data to thedata storage. In addition to writing or modifying the data, the dataingest module 102 may send file/object information for the data to thetag rules engine 104. This process of receiving a write or modifyrequest is described in more detail below with respect to FIG. 5.Additionally, the data ingest module 102 may receive a delete request todelete existing data in the data storage 110. In addition to deletingthe relevant data from the data storage 110, the data ingest module 102may send file/object information for the data to be deleted to the tagrules engine 104, such that tag information related to the data to bedeleted may also be deleted. This may include deleting some informationfrom the mapping database 108. In this way, the data ingest module 102may generally receive and direct any user I/O requests related to datastored in the data storage 110.

With continued reference to FIG. 1, the tag rules engine 104 may comparefile/object information received from the data ingest module 102 withone or more tag rules to determine if one or more tags should beassociated with the data 114, 116. Tag rules may be, for example,if/then or similar statements that dictate data 114, 116 with particularmetadata, attributes, or other file/object information should beassociated with, or assigned, a particular information tag or label. Asa particular example, a tag rule may dictate that all data 114, 116received from “Client A” should be associated with, or should receive,the tag “TAG-A.” Similarly, as another example, a tag rule may dictatethat all data 114, 116 of the datatype “executable” should be associatedwith, or should receive, the tag “TAG-B.” In this way, incoming data114, 116 may be tagged or labeled into particular categories, such thatit may be identified more easily and efficiently by those categories. Insome embodiments, a tag rule may relate to a file/object informationrange. For example, a tag rule may dictate that all data 114, 116received from a particular range of IP addresses should be associatedwith, or should receive, a particular tag. Similarly, a tag rule maydictate that all data 114, 116 received within a particular date rangeshould be associated with, or should receive, a particular tag.Moreover, a tag rule may relate to various combinations of multipletypes of file/object information. For example, a tag rule may dictatethat all data 114, 116 received from “Client A” and received within aparticular date range, should be associated with, or should receive, aparticular tag. Other tag rules may relate to three, four, five, six, ormore types of fields of file/object information. In this way, tag rulesand tags may be relatively customizable and range from relatively easyand straightforward to relatively complex. Additionally, in someembodiments, a tag rule may apply multiple tags for particularfile/object information. Below are some additional, but non-limiting,examples of tag rules:

-   -   By export type: Data ingested into a particular exported file        system may be tagged.    -   By IP address: Data received from a particular IP address, range        of IP addresses, or subnet mask may be tagged.    -   By user: Data created by a particular user, NFS uid, username,        Active Directory, or LDAP username, or user token may be tagged.    -   By extension: Data with a particular extension or extension type        may be tagged. For example, all data with extensions .jpg, .png,        or .gif may be tagged as images.    -   By path: Data associated with particular directory components        may be tagged with one or more tags for that path.

Tags and tag rules may be created or defined by various means. Ingeneral, tags and tag rules may be defined manually, automatically, orpartially automatically. For example, a user or administrator may defineparticular tag rules and/or tags to be applied for those rules. Ingeneral, a user or administrator may define any desirable tag rules toapply tags based on various determinable file/object information. Tagsand tag rules may be defined before data 114, 116 is received by thedata ingest module 102, such that file/object information may becompared to the predefined tag rules as the data is received, or shortlythereafter. The creation of predefined tag rules may allow data to betagged upon, or shortly after, being received or stored. Additionally,however, tag rules may be compared to data stored in the data storage110. For example, a user may wish to apply a newly created tag rule todata already stored in the data storage 110.

In some embodiments, a user or administrator may have the ability tomanually tag data. For example, a user or administrator may choose totag a particular group of files with a tag “TAG-D.” The user may selectthese files and associate them with TAG-D, without using a tag rule. Inthis way, a user may have the option to tag data files or objectswithout being limited to identifiable file/object information, and maythus apply any desired tag to any files or objects. The associationbetween the data files and the TAG-D tag may be stored in the mappingdatabase 108, for example, as if it was created via a tag rule, asdescribed below. Manual tagging may be performed using an applicationprogram interface (API) such as a representational state transfer (REST)API in some embodiments.

In some embodiments, tags and/or tag rules may be created or defined bymultiple users. For example, in some embodiments, role-based accesscontrol may be used to permit particular users or administrators rightsfor adding, removing, or modifying tags associated with data. In someembodiments, multiple users may be permitted to propose data tags, andone or more administrative users may be permitted to confirm proposeddata tags. In some embodiments, tag creation or proposal may beoutsourced, such as to other entities or companies, or may be performedvia crowd sourcing. This may be particularly beneficial where a largenumber of files and/or objects needs tagging. In some embodiments, usersor others proposing or creating tags may be granted different views oraccess rights. For example, users tasked with proposing or assigningtags may be permitted to view only structured information about theunderlying data, but not the data itself. In other embodiments, theusers may be permitted to view only a portion of the underlying data.This may be beneficial where the data may be proprietary or voluminous.

In some embodiments, tags and/or tag rules may be automaticallygenerated or proposed by the tag rules engine 104 or another componentof the system 100. For example, the tag rules engine 104 mayautomatically generate and assign tags as file/object information fordata 114, 116 is received and reviewed. For example, automatic tags mayrelate to age of the data, file name extensions, file data headers, filedata checks, users, clients, and sources of the data. Below are someexamples of types of tags that may be automatically generated based onfile/object information.

-   -   Tags based on date information        -   Age in months        -   Age in weeks        -   Age in days        -   Creation date        -   Creation year        -   Creation month        -   Creation day        -   Modify date        -   Access date    -   Tags based on file name extensions        -   MIME-TYPE    -   Tags based on headers        -   DATA-MEVIE-TYPE        -   EXECUTABLE        -   DOCUMENT    -   Tags based on file data checks (checksums, formats, etc.)        -   DATA-FORMAT-OK        -   DATA-FORMAT-INVALID (e.g., a tar.gz file has errors)        -   DATA-HASH-INVALID (e.g., the file data does not match a            stored hash)    -   Tags based on user or author information        -   Creation user (the user who created the data)        -   Access user (users who have accessed the data)        -   Modify user (users who have modified the data)    -   Tags based on client information        -   Creation client (the client who created the data)        -   Access client (clients who have accessed the data)        -   Modify client (clients who have modified the data)    -   Tags based on source information        -   Application cluster identities        -   IP addresses        -   Host names        -   Subnets and IP ranges

In some embodiments, automatically generated tags may be based onmetadata or other file 114 or object 116 attributes. In otherembodiments, metadata may be used instead of, or in addition to, tags.In some embodiments, tags may be automatically generated based on use.For example, where a user often accesses data with a particularattribute or tag, a tag may be automatically generated to identify thedata as frequently accessed.

In some embodiments, a webhook, message queue, or other application orprogram may allow for additional or alternative data tagging. Forexample, a webhook may be used to send a client's data, or a portion ofthe client's data from the system back to the client for additional oralternative tagging. In one particular example, data that may besensitive or private, such as HIPAA data or other secure company data,may be tagged separately by the client using the webhook. The taggeddata may then be returned to the system for application of policies viathe policy engine. As another example, a security application may tagdata as “quarantine data,” indicating the data may have a securityconcern and/or should be subject to additional review. In general, thewebhook may allow a client or other user to tag their own data, or tagdata independently from other systems.

In some embodiments, tag rules may be stored in the mapping database108. In other embodiments, tag rules may be stored in another databaseor another location. For example, tag rules may be stored on tag ruleengine 104 hardware.

To determine if a particular data file 114 or object 116 should receive,or be associated with, one or more tags, the tag rule engine 104 maycompare the file/object information for the data with predefined tagrules. If the tag rule engine 104 determines that a data file 114 orobject 116 satisfies one or more tag rules, and thus should beassociated with one or more tags, the tag rule engine may “tag” thedata. Tagging the data may include storing an association between a tagand the data file or object in, for example, the mapping database 108.In other embodiments, tagging the data may include appending one or moretags to the data stored in the data storage 110. In still otherembodiments, the tag rules engine 104 may employ other methods oftagging the data.

In some embodiments, tags may be generated and/or assignedhierarchically, such that tags may be assigned to other tags. This maybe particularly beneficial with a large number of data files 114 orobjects 116. For example, while a user or administrator may apply ordefine a variety of simple or high level tags, more complex and/or moreflexible tags may also be defined and/or maintained in the system 100and assigned hierarchically. FIG. 2 shows one embodiment of ahierarchical tagging structure. As shown, files 114 and objects 116 maybe assigned a first level of tags. The first level 202 or tier of tagsmay be tagged by a second level 204 or tier of tags, which maycategorize the data differently, more broadly, or more narrowly than thefirst level of tags. In some embodiments, the second level 204 of tagsmay be generated manually, automatically, or partially automatically.

FIG. 2 illustrates an example of how hierarchical tags may be usedflexibly. For example, the first level 202 of tags shown in FIG. 2 maybe generated automatically based on data type. In general, these datatype tags may remain unchanged once determined, because the data type isunlikely to change. The second level 204 of tags may be used tocategorize the first level 202 of tags. For example, an “All Files” tag206 may apply to all files, an “All Objects” tag 208 may apply to allobjects, and an “All Pictures” tag 210 may be used to identify all data(files or objects) that contain pictures.

Another example of hierarchical tags is data age tagging. Often,operations performed with stored data relate to the age of the data. Forexample, a user may wish to maintain active data for three years, thenmove the data to archive, and then delete the data after five years. Ora user may wish to view all data that is less than a week old. However,tagging based on age poses a particular problem—the age is alwayschanging based on the current date. For example, if a user wishes toidentify data age on a granularity level of days, the age of each filewill change daily. FIGS. 3A and 3B show an example of the use ofhierarchical tagging for identifying data age. As shown in FIG. 3A, afirst level 302 or tier of tags identifies data creation dates. Files Aand B, created on Apr. 14, 2016, are tagged with their creation date.Similarly, Files C and D are tagged with their creation date of Apr. 15,2016. These first level 302 creation date tags may be generatedautomatically or may be applied based on comparison with a tag rule. Thefirst level 302 of tags may generally remain unchanged, as the creationdate of the data is unlikely to change. A second level 304 or tier oftags may be used to tag the creation dates with an age, which maychange. As shown in FIG. 3A, day granularity and week granularity tagsmay be used, for example. As shown in FIG. 3A, as of Apr. 21, 2016,Files A, B, C, and D, are all 0 weeks old (0-6 days), and the tag“Age_Weeks_0” is applied to both creation date tags. Any action takenfor data that is less than or equal to one week old would include FilesA, B, C, and D. Additionally, the creation date tags for Files A and Bmay be tagged with “Age_Days_7,” and the creation date tags for Files Cand D may be tagged with “Age_Days_6.” Any action taken for data that isexactly 6 days old would include Files C and D, and any action taken fordata that is exactly 7 days old would include Files A and B. As shown inFIG. 3B, on the following day of Apr. 22, 2016, the age tag associationsmay change, because the data is now one day older. While the creationdate tags may not change, associations with the more flexible secondlevel 304 of tags related to age may be modified. In particular, whilethe creation date tag for Files C and D may be unchanged, the creationdate tag may be tagged with the Age_Days_7 tag. The Age_Days_6 tag maybe removed from, or disassociated with, the creation date tag for FilesC and D. The creation date tag for Files C and D may continue to beassociated with the Age_Weeks_0 tag. Additionally, while the creationdate tag for Files A and B may be unchanged, the creation date tag maybe tagged with an “Age_Days_8” tag, as well as an “Age-Weeks_1” tag. TheAge_Days_7 and Age_Weeks_0 tags may be removed from, or disassociatedwith, the creation date tag for Files A and B. These age tagassociations may update automatically from day to day, week to week,month to month, or otherwise based on the lowest granularity tagged. Inthis way, instead of changing individual age tags for every file in thesystem, only a smaller number of tag associations need be updated tomaintain age tags.

In some embodiments, data tagging may be used to determine or trackwhere data was initially created, where it was copied from, and in somecases, may allow recovery from the original source. A data source may bea user, a client, an application, a cluster, a machine, or anothersource. Sources may be hierarchical and/or geographical. In someembodiments, source discovery for a data file or object may includeexamination of hosts that write to a same file, directory, or filesystem. Source discovery may further include examination of the hoststhat read a same file. This may be performed by examining the host tags,path tags, and other tags for the data. Tags related to IP addresses andhost identifiers for creation, and IP addresses and host identifiers forusers accessing the data may additionally be used in determining asource for a data file or object. In some embodiments, an access map maybe created to organize and compare this data. Correlations and patternsmay be found to determine groups of addresses that frequently readand/or write a set of files. Information from clusters or plugins, forexample, may be used to validate this information. In some embodiments,correlation algorithms may be used to determine groups of addresses orusers that frequently read and/or write a set of files to help identifysource.

The tag rules engine 104 may include only hardware, only software, or acombination of hardware and software. For example, in some embodiments,the tag rules engine 104 may include hardware, such as for example acontroller, processor, hardware circuitry, and/or other hardwarecomponents described herein. Hardware circuitry may include receivinghardware circuitry, data accessing hardware circuitry, sending hardwarecircuitry, tagging hardware circuitry, tag rule application hardwarecircuitry, or other hardware circuitry. The controller, processer,hardware circuitry, and/or other hardware components may be configuredto run or operate one or more software programs or applications forreceiving data from and communicating data to the data ingest module102, mapping database 108, and/or policy engine 106. Moreover, in someembodiments, the tag rules engine 104 may be described as a layer,component, module, or element of a system. Such layer, component,module, or element may include hardware and/or software, as describedabove, for performing the above-described operations of the tag rulesengine 104.

With reference back to FIG. 1, the mapping database 108 may storeassociations between data files 114 and/or objects 116 and tags. Thatis, if it is determined that a data file 114, for example, should beassociated with, or should receive, a particular tag, such as TAG-A, themapping database 108 may store an association between that data file andTAG-A. If the data file 114 is associated with other tags, the mappingdatabase 108 may additionally store relationships or associationsbetween the data file and those tags as well. In this way, while thedata itself may be stored in the data storage 110, the mapping database108 may store data-tag associations. FIGS. 2 and 3, described above,show some examples of data-tag associations that may be stored in themapping database 108.

The tag rules engine 104 may notify the policy engine 106 of tagsrelated to data and/or file/object information. In some embodiments, thetag rules engine 104 and/or mapping database 108 may additionally directtagging information to a tag statistics engine, as described in U.S.Patent Application entitled Systems and Methods for Viewing andAccessing Data Using Tagging, having Attorney Docket No.20486.6.0002.US.U2, filed the same day as the present application onOct. 27, 2017, and having U.S. patent application Ser. No. 15/795,961,the content of which is hereby incorporated by reference herein in itsentirety.

The policy engine 106 may receive tag information from the tag rulesengine 104 and/or mapping database 108. Information may be sent to, andreceived by, the policy engine 106 in any suitable format. The policyengine 106 may be configured to apply one or more policies to the databased on the tags associated with the data. A policy may provide forviewing, storing, accessing, moving, deleting, copying, identifying,protecting, securing, or otherwise manipulating or using the data basedon tagging. For example, a policy may include moving all data with aparticular tag to a particular storage location at a particular time.Similarly, a policy may include displaying all data with a particulartag and a particular creation date range. Policies may be, for example,if/then or similar statements dictating that particular operationsshould be performed with respect to data having particular tags,metadata, and/or other attributes. Policies may be defined by a user oradministrator. Policies may be predefined or may be defined as needed oron demand. In some embodiments, policies may be generated or proposedautomatically. Policies may include more than one tag, including manualtags, and/or tags based on metadata or other file/object information.Where two or more policies conflict or result in different operations,predetermined rules may help to resolve the conflict. For example, rulesmay dictate that particular types of policies, or policies resulting inparticular operations may outweigh other conflicting policies.

The policy engine 106 may include only hardware, only software, or acombination of hardware and software. For example, in some embodiments,the policy engine may include hardware, such as for example acontroller, processor, hardware circuitry, and/or other hardwarecomponents described herein. Hardware circuitry may include receivinghardware circuitry, data accessing hardware circuitry, sending hardwarecircuitry, policy hardware circuitry, or other hardware circuitry. Thecontroller, processer, hardware circuitry, and/or other hardwarecomponents may be configured to run or operate one or more softwareprograms or applications for receiving data from and communicating datato the tag rules engine 102, mapping database 108, and/or data storage110. Moreover, in some embodiments, the policy engine 106 may bedescribed as a layer, component, module, or element of a system. Suchlayer, component, module, or element may include hardware and/orsoftware, as described above, for performing the above-describedoperations of the policy engine 106.

The data storage 110 may store data accessible by the data ingest module102 and/or policy engine 106. The data storage 110 may include randomaccess storage, flash storage, and/or other suitable storage types. Thedata storage 110 may include more than one database in some embodiments.Moreover, the data storage 110 may include local and/or remotedatabases. In some embodiments, the data storage 110 may include cloudstorage drives. In some embodiments, the data storage 110 may relate toa particular client or user. In some embodiments, the data storage 110may be provided or owned by a particular client or user. However, inother embodiments, the data storage 110 may store data related to morethan one client or user. In some embodiments, data may be stored in thedata storage 110 in accordance with the systems and methods described inU.S. Patent Application entitled Systems and Methods for Random toSequential Storage Mapping, having Attorney Docket no.20486.7.0003.US.U2, filed the same day as the present application onOct. 27, 2017, and having U.S. patent application Ser. No. 15/796,234,the content of which is hereby incorporated by reference herein in itsentirety.

The data storage 110 may include hardware and/or software. For example,in some embodiments, the data storage 110 may include hardware, such asfor example a controller, processor, storage hardware circuitry, and/orother hardware components described herein. The controller, processer,hardware circuitry, and/or other hardware components may be configuredto run or operate one or more software programs or applications forreceiving data from the data ingest module 102, providing data to thedata ingest module and/or policy engine 106, and/or providing clientaccess to the data.

FIG. 4 shows a hardware diagram of the data management system 100,according to one or more embodiments. In general, software for the dataingest module 102, tag rules engine 104, policy engine 106, mappingdatabase 108, and/or other components of the system 100 may operate onone or more controllers 402 and/or on a cloud based system 404. The oneor more controllers 402 may be arranged on one or more chassis 406, forexample. The controllers 402 and/or cloud system 404 may communicateover a wired or wireless network with one or more data storage devices408. The data storage device(s) 408 may include the data storagedescribed above with respect to FIG. 1. The data storage device(s) 408may include RAM memory, flash memory, and/or any other suitable memorydevices or types. In some embodiments, the one or more controllers 402and the cloud system 404 may communicate with one another over a wiredor wireless network. In some embodiments, portions of the system 100 maybe run or executed using the controllers 402, for example, whileportions of the system may be run or executed using the cloud system404.

More generally, the system 100 may include any instrumentality oraggregate of instrumentalities operable to compute, calculate,determine, classify, process, transmit, receive, retrieve, originate,switch, store, display, communicate, manifest, detect, record,reproduce, handle, or utilize any form of information, intelligence, ordata for business, scientific, control, or other purposes. For example,the system 100 or any portion thereof may be a minicomputer, mainframecomputer, personal computer (e.g., desktop or laptop), tablet computer,mobile device (e.g., personal digital assistant (PDA) or smart phone) orother hand-held computing device, server (e.g., blade server or rackserver), a network storage device, or any other suitable device orcombination of devices and may vary in size, shape, performance,functionality, and price. The system 100 may include volatile memory(e.g., random access memory (RAM)), one or more processing resourcessuch as a central processing unit (CPU) or hardware or software controllogic, ROM, and/or other types of nonvolatile memory (e.g., EPROM,EEPROM, etc.). A basic input/output system (BIOS) can be stored in thenon-volatile memory (e.g., ROM), and may include basic routinesfacilitating communication of data and signals between components withinthe system. The volatile memory may additionally include a high-speedRAM, such as static RAM for caching data.

Additional components of the system 100 may include, in addition to oralternative to the data storage devices, one or more disk drives or oneor more mass storage devices, one or more network ports forcommunicating with external devices as well as various input and output(I/O) devices, such as a keyboard, a mouse, touchscreen and/or a videodisplay. Mass storage devices may include, but are not limited to, ahard disk drive, floppy disk drive, CD-ROM drive, smart drive, flashdrive, or other types of non-volatile data storage, a plurality ofstorage devices, a storage subsystem, or any combination of storagedevices. A storage interface may be provided for interfacing with massstorage devices, for example, a storage subsystem. The storage interfacemay include any suitable interface technology, such as EIDE, ATA, SATA,and IEEE 1394. The system 100 may include what is referred to as a userinterface for interacting with the system, which may generally include adisplay, mouse or other cursor control device, keyboard, button,touchpad, touch screen, stylus, remote control (such as an infraredremote control), microphone, camera, video recorder, gesture systems(e.g., eye movement, head movement, etc.), speaker, LED, light,joystick, game pad, switch, buzzer, bell, and/or other user input/outputdevice for communicating with one or more users or for enteringinformation into the system. These and other devices for interactingwith the system 100 may be connected to the system through I/O deviceinterface(s) via a system bus, but can be connected by other interfacessuch as a parallel port, IEEE 1394 serial port, a game port, a USB port,an IR interface, etc. Output devices may include any type of device forpresenting information to a user, including but not limited to, acomputer monitor, flat-screen display, or other visual display, aprinter, and/or speakers or any other device for providing informationin audio form, such as a telephone, a plurality of output devices, orany combination of output devices.

The system 100 may also generally include one or more buses operable totransmit communications between the various hardware components. Asystem bus may be any of several types of bus structure that can furtherinterconnect, for example, to a memory bus (with or without a memorycontroller) and/or a peripheral bus (e.g., PCI, PCIe, AGP, LPC, etc.)using any of a variety of commercially available bus architectures.

One or more programs or applications, such as a web browser and/or otherexecutable applications, may be stored in one or more of the system datastorage devices. For example, the data ingest module 102, tag rulesengine 104, and policy engine 106 may be or include programs orapplications stored in, and configured to run or execute on, the system100. Generally, programs may include routines, methods, data structures,other software components, etc., that perform particular tasks orimplement particular abstract data types. Programs or applications maybe loaded in part or in whole into a main memory or processor duringexecution by the processor. One or more processors or controllers mayexecute applications or programs to run systems or methods of thepresent disclosure, or portions thereof, stored as executable programsor program code in the memory, or received from the Internet or othernetwork. Any commercial or freeware web browser or other applicationcapable of retrieving content from a network and displaying pages orscreens may be used. In some embodiments, a customized application maybe used to access, display, and update information. A user may interactwith the system, programs, and data stored thereon or accessible theretousing any one or more of the input and output devices described above.

The system 100 may operate in a networked environment using logicalconnections via a wired and/or wireless communications subsystem to oneor more networks and/or other computers. Other computers can include,but are not limited to, workstations, servers, routers, personalcomputers, microprocessor-based entertainment appliances, peer devices,or other common network nodes, and may generally include many or all ofthe elements described above. Logical connections may include wiredand/or wireless connectivity to a local area network (LAN), a wide areanetwork (WAN), hotspot, a global communications network, such as theInternet, and so on. The system 100 may be operable to communicate withwired and/or wireless devices or other processing entities using, forexample, radio technologies, such as the IEEE 802.xx family ofstandards, and includes at least Wi-Fi (wireless fidelity), WiMax, andBluetooth wireless technologies. Communications can be made via apredefined structure as with a conventional network or via an ad hoccommunication between at least two devices. In some embodiments, some orall of the components, applications, or programs of the system 100 orany system of the present disclosure may be provided as cloud-basedcomponents, or may be otherwise provided by, executed on, or supportedby, a cloud system.

FIG. 5 shows a method 500 of data management that may be performed usinghardware and/or software of the system 100 according to variousembodiments of the present disclosure. As shown, the method 500 mayinclude the steps of receiving a data file or data object 502; storingthe data file or data object 504; comparing the data file or data objectwith tag rules to determine tag association(s) 506; storing tagassociation(s) for the data file or data object 508; comparing the tagassociation(s) with policies 510; performing the policy operations 512;and maintaining the policy operations 514. In other embodiments, themethod 500 may include additional and/or alternative steps.

Receiving a data file or data object 502 may include receiving data viaa data ingest module or other data receiving module or layer. Asdescribed above with respect to the data ingest module, the data may bereceived in any suitable format. Upon receipt, the data file or objectmay be stored in a data storage or other suitable database or storagelocation 504. The data may be stored according to any suitable storagescheme. In some embodiments, the step of comparing the data file or dataobject with tag rules 506 may be performed simultaneously with storingthe data 504, or before or after storing the data. Comparing the datawith tag rules 506 may be performed by a tag rules engine. As describedabove, file or object information, such as metadata and/or otherinformation about the data may be compared to predefined tag rules.Based on the comparing, the tag rules engine, or another module orlayer, may determine that one or more tags should be associated with thedata file or object. Associations between the data and the one or moreapplicable tags may be stored in, for example, the mapping database 508.However, in other embodiments, tags that apply to the data may beappended to and/or stored with the data. The method 500 may additionallyinclude comparing the tag association(s) with policies to determine ifany policies, such as storage policies, display policies, or others,apply to the data 510. Based on the comparison, if it is determined thatone or more policies apply to the data via the associated tags, thepolicy operations may be performed with respect to the data 512.

Moreover, one or more policy operations may be maintained 514.Maintaining policy operations may include performing additionaloperations, such as where a policy requires continuous or repeatedoperations or requirements. Maintaining policy operations mayadditionally include revising operations or requirements in response topolicy modifications. That is, where a policy is modified, maintainingpolicy operations may include ensuring that updated or revisedoperations are performed with respect to previously tagged data.Additionally, in some embodiments, the tag association(s) for the datamay be compared with policies 510 more than once, such as at intervals,intermittently, or on demand, as policies and/or tagging may change.

In some embodiments, a system of the present disclosure may beconfigured to allow for tags, tag rules, and/or policies to be definedusing natural language. That is, a system of the present disclosure maybe configured to receive user commands for defining a tag, a tag rule,or a policy in natural language, and automatically convert thosecommands to computer readable instructions needed to carry out theuser's natural language commands. For example, FIG. 6 shows oneembodiment of a natural language system 600 that may be included in, orused in conjunction with, systems and methods of the present disclosure.In some embodiments, the natural language system 600 may have aprocessing engine 602, a dictionary 604, and a controller 606.Additionally, support services 608 may provide local or remote supportfor the natural language system.

The processing engine 602 may be configured to receive natural languagecommands from a user 610. The user 610 may enter the commands at a userinterface, for example. In some embodiments, the user 610 may say orspeak the natural language commands, such as via a smartphone or othervoice command system. The commands may relate to defining tags, tagrules, and/or policies. Moreover, the processing engine 602 may beconfigured to convert the natural language commands to computer readableand executable processing steps needed to carry out the commands. Insome embodiments, one natural language command may convert into multiplecomputer executable processing steps. Below are some examples of naturallanguage commands, and corresponding processing steps to carry out thecommands.

Example of Computer Executable Natural Language Command Steps toAccomplish Command Move all Marketing data 1. Find the tag named“Marketing” to the cloud 2. Find a policy that has Data Placement asCloud. If not found, create policy that has Data Placement as Cloud. 3.Determine if the “Marketing” tag already has a Data Placement policy. Ifit does, remove the old Data Placement policy. 4. Set the Data Placementpolicy of the “Marketing” tag to the Cloud. Apply tag of “Large File”to 1. Find the tag named “Large File.” If all files that are over 1 GBnot found, create tag named “Large File.” 2. Write a custom script to:a. Get all files. b. Go through all files for files greater than 1 GB.i. Tag with “Large File” tag.

Based on the natural language command, the processing engine 602 maydetermine what action(s) the user 610 desires to invoke, and parse thenatural language for names of entities on the system to invoke thoseactions. If the processing engine 602 cannot determine the desiredaction(s), the processing engine may return an error message in someembodiments. In some embodiments, the processing engine 602 may suggestpossible actions to the user 610.

The processing engine 602 may determine the desired actions(s) andconvert the natural language to executable steps using the dictionary604. The dictionary 604 may store known natural language commands,terms, or phrases, and their corresponding executable steps. Forexample, the phrase “apply tag” may translate in the dictionary to thesteps of determining if the particular tag to be applied already exists;if not, creating the tag; and tagging the particular data with the tag.The processing engine 602 may use the dictionary 604 to identify keywords and phrases to determine the user's desired action(s). Below aresome examples of key words and their corresponding actions, which may bestored in the dictionary 604.

Key Words Action Move, Put, Place Change Data Placement PolicyPrioritize Change Data Priority Policy Encrypt, Secure Turn onEncryption

By identifying the key words stored in the dictionary 604, theprocessing engine 602 may generally ignore other words in the user'snatural language command. Below are some examples of natural languagecommands that may each seek to accomplish the same action.

“Move all Marketing data to the Cloud. The Cloud is the place for allMarketing data. The Cloud is for irrelevant information. Move all thingstagged with Marketing there. Um . . . could you please, when you get achance, put all Marketing stuff in the Cloud . . . Thanks!

Each of the above example natural language commands may result in datatagged with “Marketing” being moved to Cloud storage. The processingengine 602 may identify the key words of move, place, and put todetermine that the action desired is to relocate data. The processingengine 602 may analyze the remaining language of the commands todetermine that the data to be moved is data tagged as “Marketing,” andthe place to move the data is the Cloud storage. The processing engine602 may combine this information to develop executable steps.

Once the processing engine 602 determines the executable steps needed toperform the user's command, the processing engine may send theexecutable steps to the controller 606 for execution. However, beforesending the steps, in some embodiments, the processing engine 602 maydetermine if the steps are permissible and/or valid via a verificationprocess. The verification process may compare the executable steps toexisting tags, tag rules, policies, or other rules or policies of thesystem to determine if the executable steps will violate any existingelements. If the processing engine 602 determines that the executablesteps will violate an existing rule, policy, or other element of thesystem, the processing engine may return an error message. The errormessage may include the particular rule or policy violation in someembodiments. If the executable instructions do not violate any rule,policy, or other element, the processing engine 602 may send theexecutable steps to the controller 606.

In some embodiments, the controller 606 may be or include one of thesystem controllers described above with respect to FIG. 4. Thecontroller 606 may communicate with the tag rules engine, policy engine,mapping database, data storage, and/or other components of the system,as described above, in order to execute the executable steps.

In some embodiments, support services 608 may provide local or remotesupport for the natural language system 600. Support services 608 may beprovided via a cloud system, for example, and may communicate with thenatural language system 600 over a wired or wireless network. Thesupport services 608 may receive natural language commands that havebeen entered by the user 610. Additionally, the support services 608 mayreceive information about the commands, such as how the commands wereparsed or analyzed by the processing engine, any errors related to thecommands, the executable steps that were developed from the commands,and whether the executable steps were executed. In some embodiments,this information may be sent automatically to the support services 608by, for example, the processing engine 602. In other embodiments, thesupport services 608 may request information from the processing engine602. In some embodiments, the user 610 may have the option to sendfeedback, questions, or problems to the support services 608 related tothe user's use of the natural language system 600. In some embodiments,the support services 608 may track and/or analyze user commands todetermine, for example, what phrases, terms, and actions are mostcommonly used; what phrases, terms, and action users are having the mostsuccess with; and what phrases, terms, and actions users are having themost difficulty with. In some embodiments, the support services 608, theprocessing engine 602, and/or the dictionary 604 may incorporate machinelearning abilities.

In some embodiments, the support services 608 may analyze user commandsto develop new or different dictionary entries. The support services 608may additionally be configured to update or revise the dictionary 604.In some embodiments, the support services 608 may connect with andupdate the dictionary 604 automatically. In this way, the dictionary 604may be updated in real-time or substantially real-time. In someembodiments, some dictionaries or dictionary entries may be updatedautomatically, while others may be updated manually, partiallyautomatically, or after some delay or review. For example, somedictionary entries determined by the support services 608 may relate toonly particular client dictionaries, or may include proprietarydefinitions, such that only particular dictionaries may receive theupdated entries. Moreover, some clients or client dictionaries may bepermitted earlier access to new dictionary entries.

Each of the processing engine 602, dictionary 604, controller 606, andsupport services 608 may include only hardware, only software, or acombination of hardware and software. For example, in some embodiments,the processing engine 602, dictionary 604, controller 606, and/orsupport services 608 may include hardware, such as for example acontroller, processor, hardware circuitry, and/or other hardwarecomponents described herein. Hardware circuitry may include receivinghardware circuitry, data accessing hardware circuitry, sending hardwarecircuitry, or other hardware circuitry. The processing engine 602 mayhave language converting hardware circuitry, for example. The controller606 may have step execution or command execution hardware circuitry. Thesupport services 608 may have command analysis or language analysishardware circuitry. The support services 608 may additionally oralternatively have dictionary updating hardware circuitry. The variouscontrollers, processers, hardware circuitry, and/or other hardwarecomponents of the processing engine 602, dictionary 604, controller 606,and support services 608 may be configured to run or operate one or moresoftware programs or applications for receiving user commands, parsingand converting user commands, executing user commands, analyzing usercommands, and updating dictionary entries. Moreover, in someembodiments, any of the processing engine 602, dictionary 604, orsupport services 608 may be described as a layer, component, module, orelement of a system. Such layer, component, module, or element mayinclude hardware and/or software, as described above, for performing theabove-described operations.

Systems and methods of the present disclosure may generally provideimproved data management. The tags, tag rules, and policies describedherein may allow for more organized data storage and maintenance, suchthat data may be easily recalled, viewed, accessed, or otherwisemanipulated or used. Moreover, the systems and methods described hereinmay provide for more efficient data storage, as particular types ofdata, more or less important data, or data having higher or lower accessrates, for example, may be more easily identified and moved. In general,the system and methods described herein may allow for data to be easilymoved, manipulated, or used based on one or more attributes of the data.The systems and methods described herein may be particularly beneficialwith respect to a large data storage system having a high volume ofstored data files and/or objects.

Moreover, the systems and methods described herein may allow users orclients to organize, label, or store their data using any desiredcategories or naming schemes. That is, the systems and methods describedherein may allow users or clients to create custom tags, tag rules, andpolicies for data as desired. Further, by providing for application oftag rules and policies of the data upon ingest into the systemsdescribed herein, the data may be easily and efficiently categorized assoon as it enters the system, or shortly thereafter. In this way, thelife cycle of the data may be determined and tracked, and the data maybe easily accessible, as soon as it enters the system or shortlythereafter. This may allow users or clients to track and control largenumbers of files or objects without the need to manually individuallylabel, categorize, or otherwise handle each individual data item.Moreover, the natural language systems described herein may allow usersand clients to easily control the handling of their data without theneed to use complex programming language or instructions. Users andclients may easily and plainly state their desired commands for handlingand manipulating their data. Additionally, the systems and methodsdescribed herein may be implemented with existing data storage systems,and may generally use a client's existing databases.

One particular example of how methods and systems described herein maybe useful or beneficial to a user may relate to the need to recall datastored on relatively slow or less expensive storage. For example, wherea user runs reports on a portion or portions of a data set periodically,the report process may be particularly slow or cumbersome where some orall of the data has been stored on less expensive data storage devices.However, maintaining the data in faster or more expensive storagedevices, such as flash storage devices, may be too expensive,particularly where the data is only accessed periodically. Accordingly,systems and methods of the present disclosure may be used to tag thedata used in the periodic reporting. A policy may be created that movesthe data, based on this tag, to more expensive or faster storage for aday, or another period of time, in anticipation of the periodic reportcycle. The policy may further establish that the data is moved back toless expensive storage after the reporting is complete. In this way, thesystems and methods described herein may use tagging and policies tomove data to more or less expensive storage devices as needed, so as toensure fast processing times and access when needed, but to otherwisemaintain data in less expensive storage when not being used.

Similarly, as another particular example, systems and methods describedherein may allow for on-demand policies, such that data may be moved tofaster or more expensive storage as needed. For example, with respect toa tiered storage system, where infrequently accessed data is migrated toless expensive storage devices, if a user needs to access data on thoseless expensive device tiers, the user may define a policy on demand tomove data with one or more particular tags to a faster storage tier.

Hardware and software components of the present disclosure, as discussedherein, may be integral portions of a single computer or server or maybe connected parts of a computer network. The hardware and softwarecomponents may be located within a single location or, in otherembodiments, portions of the hardware and software components may bedivided among a plurality of locations and connected directly or througha global computer information network, such as the Internet.Accordingly, aspects of the various embodiments of the presentdisclosure can be practiced in distributed computing environments wherecertain tasks are performed by remote processing devices that are linkedthrough a communications network. In such a distributed computingenvironment, program modules may be located in local and/or remotestorage and/or memory systems.

As will be appreciated by one of skill in the art, the variousembodiments of the present disclosure may be embodied as a method(including, for example, a computer-implemented process, a businessprocess, and/or any other process), apparatus (including, for example, asystem, machine, device, computer program product, and/or the like), ora combination of the foregoing. Accordingly, embodiments of the presentdisclosure may take the form of an entirely hardware embodiment, anentirely software embodiment (including firmware, middleware, microcode,hardware description languages, etc.), or an embodiment combiningsoftware and hardware aspects. Furthermore, embodiments of the presentdisclosure may take the form of a computer program product on acomputer-readable medium or computer-readable storage medium, havingcomputer-executable program code embodied in the medium, that defineprocesses or methods described herein. A processor or processors mayperform the necessary tasks defined by the computer-executable programcode. Computer-executable program code for carrying out operations ofembodiments of the present disclosure may be written in an objectoriented, scripted or unscripted programming language such as Java,Perl, PHP, Visual Basic, Smalltalk, Python, Go, JavaScript, C++, or thelike. However, the computer program code for carrying out operations ofembodiments of the present disclosure may also be written inconventional procedural programming languages, such as the C programminglanguage or similar programming languages. A code segment may representa procedure, a function, a subprogram, a program, a routine, asubroutine, a module, an object, a software package, a class, or anycombination of instructions, data structures, or program statements. Acode segment may be coupled to another code segment or a hardwarecircuit by passing and/or receiving information, data, arguments,parameters, or memory contents. Information, arguments, parameters,data, etc. may be passed, forwarded, or transmitted via any suitablemeans including memory sharing, message passing, token passing, networktransmission, etc.

In the context of this document, a computer readable medium may be anymedium that can contain, store, communicate, or transport the programfor use by or in connection with the systems disclosed herein. Thecomputer-executable program code may be transmitted using anyappropriate medium, including but not limited to the Internet, opticalfiber cable, radio frequency (RF) signals or other wireless signals, orother mediums. The computer readable medium may be, for example but isnot limited to, an electronic, magnetic, optical, electromagnetic,infrared, or semiconductor system, apparatus, or device. More specificexamples of suitable computer readable medium include, but are notlimited to, an electrical connection having one or more wires or atangible storage medium such as a portable computer diskette, a harddisk, a random access memory (RAM), a read-only memory (ROM), anerasable programmable read-only memory (EPROM or Flash memory), acompact disc read-only memory (CD-ROM), or other optical or magneticstorage device. Computer-readable media includes, but is not to beconfused with, computer-readable storage medium, which is intended tocover all physical, non-transitory, or similar embodiments ofcomputer-readable media.

Various embodiments of the present disclosure may be described hereinwith reference to flowchart illustrations and/or block diagrams ofmethods, apparatus (systems), and computer program products. It isunderstood that each block of the flowchart illustrations and/or blockdiagrams, and/or combinations of blocks in the flowchart illustrationsand/or block diagrams, can be implemented by computer-executable programcode portions. These computer-executable program code portions may beprovided to a processor of a general purpose computer, special purposecomputer, or other programmable data processing apparatus to produce aparticular machine, such that the code portions, which execute via theprocessor of the computer or other programmable data processingapparatus, create mechanisms for implementing the functions/actsspecified in the flowchart and/or block diagram block or blocks.Alternatively, computer program implemented steps or acts may becombined with operator or human implemented steps or acts in order tocarry out an embodiment of the invention.

Additionally, although a flowchart or block diagram may illustrate amethod as comprising sequential steps or a process as having aparticular order of operations, many of the steps or operations in theflowchart(s) or block diagram(s) illustrated herein can be performed inparallel or concurrently, and the flowchart(s) or block diagram(s)should be read in the context of the various embodiments of the presentdisclosure. In addition, the order of the method steps or processoperations illustrated in a flowchart or block diagram may be rearrangedfor some embodiments. Similarly, a method or process illustrated in aflow chart or block diagram could have additional steps or operationsnot included therein or fewer steps or operations than those shown.Moreover, a method step may correspond to a method, a function, aprocedure, a subroutine, a subprogram, etc.

As used herein, the terms “substantially” or “generally” refer to thecomplete or nearly complete extent or degree of an action,characteristic, property, state, structure, item, or result. Forexample, an object that is “substantially” or “generally” enclosed wouldmean that the object is either completely enclosed or nearly completelyenclosed. The exact allowable degree of deviation from absolutecompleteness may in some cases depend on the specific context. However,generally speaking, the nearness of completion will be so as to havegenerally the same overall result as if absolute and total completionwere obtained. The use of “substantially” or “generally” is equallyapplicable when used in a negative connotation to refer to the completeor near complete lack of an action, characteristic, property, state,structure, item, or result. For example, an element, combination,embodiment, or composition that is “substantially free of” or “generallyfree of” an element may still actually contain such element as long asthere is generally no significant effect thereof.

In the foregoing description various embodiments of the presentdisclosure have been presented for the purpose of illustration anddescription. They are not intended to be exhaustive or to limit theinvention to the precise form disclosed. Obvious modifications orvariations are possible in light of the above teachings. The variousembodiments were chosen and described to provide the best illustrationof the principals of the disclosure and their practical application, andto enable one of ordinary skill in the art to utilize the variousembodiments with various modifications as are suited to the particularuse contemplated. All such modifications and variations are within thescope of the present disclosure as determined by the appended claimswhen interpreted in accordance with the breadth they are fairly,legally, and equitably entitled.

We claim:
 1. A data handling system comprising: a tag rule databasestoring tag rules as non-transitory computer readable media, each tagrule defining when data should be tagged; a policy database storingpolicies as non-transitory computer readable media, each policy definingwhen a policy operation should be performed with respect to tagged data;a controller programmed with computer executable instructions for:receiving data comprising at least one of a data file and a data object;comparing the received data to a tag rule to determine if the datashould be tagged with a tag; based on the comparison, tagging the databy storing an association between the data and the tag; and comparingthe tag to a policy to determine if a policy operation should beperformed with respect to the data; and a mapping database storing, asnon-transitory computer readable media, associations between data andtags.